Skip to main content
Normal View

Dáil Éireann debate -
Wednesday, 25 Jan 2017

Vol. 936 No. 1

Criminal Justice (Offences Relating to Information Systems) Bill 2016: Second Stage

I move: "That the Bill be now read a Second Time."

I am very pleased to introduce this Bill to the House on behalf of my colleague, the Tánaiste and Minister for Justice and Equality, Deputy Frances Fitzgerald, who regrets that she is unable to be present.

The Criminal Justice (Offences Relating to Information Systems) Bill 2016 is a relatively short but significant piece of legislation. I cannot but be struck that we are following on from the previous Bill, the National Shared Services Office Bill, which contains many references to data protection and so on. There is, therefore, a seamless move between the two Bills in some ways. The main purpose of this Bill is to give effect to provisions of Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems. The Bill will also give effect to many of the key provisions of the Council of Europe Convention on Cybercrime, the Budapest convention, which Ireland signed in 2002.

The legislation before us reflects the EU directive in that it provides for criminal offences in relation to attacks against information systems and establishes effective, proportionate and dissuasive penalties for such offences, the most serious of which could result in a term of imprisonment of up to ten years. The offences provided for relate to information systems and data and do not cover content-related matters. The Bill creates new offences relating to unauthorised accessing of information systems; unauthorised interference with information systems or with data on such systems; unauthorised interception of transmissions of data to or from information systems; and the use of tools, such as computer programmes, passwords or devices, to facilitate the commission of these offences relating to information systems.

Before outlining the content of the Bill in more detail, I will provide some context for the legislation. It is true to say that information systems are very much part of our daily lives in the modern world. They are increasingly relied upon by governments, businesses and individuals alike. The term "information system" itself, as defined in the Bill, is deliberately broad, encompassing all devices involved in the processing and storage of data, and not only those considered to be "computer systems" in the traditional sense. This reflects the range of modern communications and data storage technology currently available, such as tablets and smartphones. Information systems also encompass the IT infrastructure or networks that support communication systems and individual devices as well as data. The term "data" is also broadly circumscribed in the Bill as meaning any representation of facts, information or concepts in a form capable of being processed and includes a programme capable of causing an information system to perform a function.

There is no doubting the very significant benefits which modern information systems bring to our lives. However, reliability on such systems can also unfortunately mean vulnerability. New technology creates opportunities for new crimes. Cybercrime and attacks on information systems have become increasingly problematic and challenging across Europe and the world in general. The European Commission brought forward its proposal for a directive in this area against a backdrop of steadily increasing cybercrime. This included previously unknown large-scale and dangerous attacks against the information systems of entities, such as banks, the public sector and even the military, in EU member states and other countries. New concerns emerged in this area, such as the massive spread of malicious software. Such "malware", as it is termed, can, for instance, create what are known as "botnets", which are networks of infected computers that can be remotely controlled to stage large-scale co-ordinated attacks. These networks of compromised computers may be activated, often without the knowledge of the users of these computers, to perform specific actions such as attacks against information systems.

The interconnection of computers and information systems through cyberspace facilitates communication between companies and individuals across the world. What has become clear is that as cyberspace has developed and evolved, as has cybercrime, which is a transnational phenomenon. Traditional law is based on physical geography whereas cybercrimes occur in the "virtual" world of cyberspace and readily intersect and transcend national boundaries. There is a clear need, therefore, for international co-operation in this area and for harmonisation of national laws to counter the very real threats faced. It is vital that we seek to protect citizens, businesses and government structures alike from cyberattacks which represent such a growing challenge in the modern technological environment. This is the central aim of the Bill.

I now propose to outline in more detail the content of the Bill, which contains 17 sections and largely reflects the EU directive on attacks against information systems, as I mentioned. Section 1 provides the necessary interpretation provisions for the Bill and includes a definition of "information system". The term "information system", rather than "computer", is used in order to enable the Bill to have the widest possible application, taking account of rapidly evolving technology in this area. This section also includes a broad definition of "data". Both these definitions are based on the definitions contained in the directive. Further important definitions in section 1 relate to the concepts of "lawful authority" and "right holder". These are particularly significant in relation to how the offences under sections 2 to 6, inclusive, of the Bill are framed. I will outline these offences presently, having made a couple of preliminary comments in this regard.

The activities concerned such as access to or interference with information systems or data are not offences if they are performed with lawful authority such as with the permission of the owner or right holder of the system. It is clearly not intended to criminalise the activities of those who have authority to access information systems or possess a computer programme or code for the purpose of maintaining, testing or protecting information systems. There are, for example, companies which carry out such activities legitimately in the course of their work, which could involve testing the security of information systems and protecting them from attack. Such companies are effectively exempt from the provisions of the Bill. A further point of commonality in the manner in which the offences under sections 2 to 6, inclusive, are framed is the notion of intent. When the activities described are carried out with lawful authority and without criminal intent, they cannot be considered to be offences.

Section 2 provides that it is an offence to intentionally access an information system by infringing a security measure without lawful authority or reasonable excuse. Section 3 provides that it is an offence to intentionally interfere with an information system so as to hinder or interrupt its functioning. It also describes the various means of interference such as, for example, inputting data to the system, damaging or deleting data or making data on the system inaccessible.

Section 4 provides that it is an offence to intentionally interfere with data on an information system, for example, by deleting, altering or causing the deterioration of the data. Section 5 provides that it is an offence to intentionally intercept the non-public transmission of data to or from or within an information system. Section 6 provides that it is an offence to intentionally produce, sell, import, distribute or otherwise make available a computer programme or any device, computer password, access code or similar data for the purpose of the commission of an offence under section 2, 3, 4 or 5. It will be noted that the direct intention to commit an offence is specifically required in relation to this provision, in addition to the general intent requirement contained in all of the offence provisions. This reflects the requirements of the EU directive and has been designed to avoid criminalisation where such tools or devices are produced and put on the market for legitimate purposes such as testing the security of information systems.

Section 7 allows a search warrant to be issued to An Garda Síochána by the District Court for the investigation of the suspected commission of offences under the Bill. It also sets out the process involved and provides for related matters. It includes a requirement that a person under investigation shall, on request, provide the Garda with any password or key code necessary to operate a computer or access the data. This provision essentially replaces the search warrant provision in section 13 of the Criminal Damage Act 1991 insofar as it relates to data and applies the provision generally to the investigation of offences relating to information systems. Section 13 of the Bill amends the 1991 Act and includes a transitional provision in respect of search warrants issued under the Act. I will return to section 13 and the Criminal Damage Act shortly.

Section 8 sets out the penalties for the commission of offences under sections 2 to 6, inclusive. It provides that a person who commits an offence under section 2, 4, 5 or 6 will be liable, on summary conviction, to a fine of up to €5,000 or imprisonment for a term of up to 12 months, or both. On conviction on indictment, the offences are punishable by a fine or a term of up to five years in prison, or both. The same penalties apply on summary conviction for offences committed under section 3 which relates to unlawful interference with an information system but conviction on indictment for this offence carries an even more prohibitive penal sanction of up to ten years. This penalty reflects the gravity of the offence and the potential for damage in which unlawful interference with an information system could result.

Section 8 further provides that fraudulent use of the personal data of another person will be treated as an aggravating factor when the court is determining sentence for an offence under section 3 or 4. It also provides for penalties for offences in relation to the search warrant provisions in section 7. Such offences include obstructing a Garda member acting under authority of a search warrant, failure to provide information to facilitate Garda access to a computer or failure to give the Garda a correct name and address.

Section 9 clarifies that where an offence under the Bill is committed by a body corporate, liability will rest with the person acting on behalf of the body corporate, as well as with the body corporate. It may be necessary for the Tánaiste and Minister for Justice and Equality to bring forward a minor but essentially technical amendment to the section on Committee Stage. Legal advice is awaited from the Office of the Attorney General in this regard.

Section 10 establishes legal jurisdiction with regard to the commission of offences under sections 2 to 6, inclusive. It provides that a person may be tried in the State for an offence under sections 2 to 6, inclusive, whether the offence is committed in relation to an information system in the State by a person who is inside or outside the State. Legal jurisdiction also extends to the commission of such an offence in relation to an information system outside the State if the person is an Irish citizen, ordinarily resident in the State or a body corporate or company under the law of the State and the act is an offence under the law of the place where it is committed.

Section 11 relates to evidence of Irish citizenship in the context of legal proceedings for offences under the Bill committed outside the State. It clarifies that it is an officer of the Minister for Foreign Affairs and Trade who certifies that a passport has issued and that it is an officer of the Minister for Justice and Equality who certifies that a person has not ceased to be an Irish citizen.

Section 12 deals with the legal concept of "double jeopardy" and provides that a person who has been tried for an offence outside the State will not be proceeded against for an offence under this legislation in respect of which the person has already been tried.

Section 13 amends the Criminal Damage Act 1991 insofar as it relates to damage to computer data in the context of damage to property. The offences contained in the 1991 Act in relation to computer data are being deleted and will instead be covered and expanded on in this legislation. Section 5 of the 1991 Act which relates to unauthorised access to computer data is, for instance, being deleted and replaced by section 2 of the Bill.

Section 14 amends the Bail Act 1997 to include in the Schedule to that Act the offences provided for under sections 2 to 6, inclusive, of the Bill. The Schedule to the 1997 Act specifies serious offences, in respect of which an application for bail may be refused by the court. The offences under sections 2 to 6, inclusive, of the Bill will, therefore, come within this category.

Section 15 is a technical amendment to Schedule 1 to the Criminal Justice Act 2011 which provides for certain powers and procedures in relation to the prosecution and investigation of white collar crime. Schedule 1 specifies the offences which are relevant for the purposes of the 2011 Act and includes the data-related offences which are contained in the Criminal Damage Act 1991 and will be replaced by thd Bill. Section 15, therefore, includes the new offences in the Schedule and also inserts a transitional provision to cover data-related offences which were committed under the Criminal Damage Act prior to commencement of this legislation.

I mention at this point that the Tánaiste and Minister for Justice and Equality proposes to make a minor technical amendment to section 15 on Committee Stage. It relates to the renumbering of the new paragraph 31, which the Bill inserts into the Criminal Justice Act 2011 to 30A as a paragraph 31 has already been inserted into the 2011 Act by other amending legislation.

Section 16 provides that expenses incurred by the Minister for Justice and Equality in the administration of this legislation shall, to the extent sanctioned by the Minister for Public Expenditure and Reform, be paid out of moneys provided by the Oireachtas.

Section 17 is a standard provision providing for the Short Title and commencement of the Bill.

There will, of course, be an opportunity on Committee Stage to discuss in more detail any aspect of the Bill Deputies wish to explore further. I am sure they will agree that it is vital that we seek to safeguard modern information and communications systems and also maintain users' confidence in the safety and reliability of such systems. This is arguably even more important and appropriate in Ireland which has become somewhat of a global cyber hub in view of the number of high tech information technology and Internet-based companies that have major operations here. The legislation ensures unlawful activities relating to information systems will be criminalised and that strong penalties will be in place to both deter and punish offenders. I am pleased, therefore, to commend the Bill to the House.

I do not know if the Ceann Comhairle makes awards to Deputies for hard work and working long hours, but if he does, I would like to nominate Deputy Jonathan O'Brien and myself as we started our public duties in Leinster House at 9 a.m. at the Oireachtas Joint Committee on Justice and Equality and are still going some 13 hours later. He may consider that nomination.

It was not like that in the Law Library, I take it.

Actually, sometimes it was.

I welcome the legislation. When I saw it, I was not aware that this type of offence had not already been criminalised. One would have thought information systems which played such an important part in business and ordinary personal life would be protected from attack, but that does not appear to be the case. I understand the Bill seeks to transpose into Irish law Directive 40 of 2013 of the European Parliament and the Council. We will support its passage on Second Stage and consider whether amendments should be tabled on Committee Stage. I will identify one or two matters and let Deputy Jonathan O'Brien conclude his day's work in the 14th hour.

The offences to be covered are set out in sections 2 to 6, inclusive, which provide for the criminalisation of individuals who access information systems without lawful authority. In the directive which the Bill seeks to transpose it is mentioned that several offences should be criminalised, at least in cases that are not minor.

The Minister of State might also turn his mind to whether in section 2 a definition is needed of "a security measure". If we are to criminalise certain behaviour, we need to ensure people are aware that what they are doing is criminal. Section 2 states: "A person who, without lawful authority or reasonable excuse, intentionally accesses an information system by infringing a security measure shall be guilty of an offence". It is important for people to be aware of what is a security measure.

Section 3 deals with "Interference with information system without lawful authority", while section 4 deals with "Interference with data without lawful authority". Section 5 deals with "Intercepting transmission of data without lawful authority", while section 6 deals with "Use of computer programme, password, code or data for purposes of" committing the offences outlined.

Last evening when we dealt with the Criminal Justice (Suspended Sentences of Imprisonment) Bill 2016, I referred to how on many occasions we drafted and debated criminal justice legislation, identified offences and set out what the penalties were. This legislation is consistent with that approach because when we reach section 8, we see what the penalties are. They appear to be universal in that they are a fine or a term of imprisonment. As we said at the committee meeting this morning, we need to become more sophisticated in our choice of penalties in legislation. It is far too easy for legislators, when considering penalties for offences, to insert the usual penalty of imprisonment and/or a fine.

We need to think of other potential penalties that can be imposed. If we continue to keep criminalising different types of behaviour, as we are doing here by criminalising certain behaviour in respect of information data systems, we should be broadening our approach to the nature of penalties that can be imposed.

I do not propose to take any more of our time, other than to say that we will be supporting the passage of the Bill on Second Stage. I ask the Minister to consider whether it is necessary for a definition to be given to a security measure.

I thank the Deputy for being so concise.

I will be even shorter than Deputy Jim O'Callaghan.

Sinn Féin will also be supporting the Bill which, as outlined, gives effect to the provisions of Directive 2013/40/EU. The Bill seeks to amend some existing legislation. The law on cybercrime in Ireland is somewhat outdated, fragmented across a number of pieces of legislation and unwieldy. The provisions in some of those Acts date back as far as the early 1990s. They are no longer fit for purpose. Given the technological advances in the past 20 odd years there is a need to consolidate and modernise laws pertaining to the protection of information and communication systems. For that reason, we will be giving the Bill our full support. We are considering the possibility of tabling one amendment to section 7 concerning search warrants. We wish to tease that out on Committee Stage.

I echo the comments of the previous speaker on section 8. I do not know whether it is feasible for us to move amendments to examine alternatives to the offences that are being proposed under the legislation. Following last night's observation by Deputy O'Callaghan, it is something that we will be paying a lot more detailed attention to in future when Bills come before us.

As the Minister has outlined the Bill's provisions in its 17 sections, I will not repeat them. There will be a debate on Committee Stage. We fully support the Bill, although there is the possibility that we will table one amendment. I will not delay these proceedings any longer than necessary just for the sake of running down the clock. We support the Bill.

I thank the House for giving time to this Bill. As I said earlier, this is significant legislation. I thank Deputies for their contributions and general support for the Bill. It is clear that there is a shared determination to combat cybercrime by bringing our laws up to date. The Bill focuses on protecting information systems, and the data they contain, from unauthorised access or interference. This is vital to the interests of businesses, Government structures and individual citizens alike, given the central role information systems play in all of our lives now. As technology advances and new forms of crime evolve, our legislative frameworks must also develop to counter these threats. Deputy O'Brien is right to say we must bring our laws up to date.

There was a time when crime was usually committed in a physical space, a place where the criminal was also present such as in the traditional forms of fraud or theft. Technology-related offences are committed in cyberspace, where the perpetrator may be at a very distant physical remove from their crime target, operating stealthily and insidiously. While cyber criminals could be considered to operate in a somewhat virtual digital world, remotely and virtually invisibly, the effects of their attacks are very real indeed. In fact, it has been estimated that the cost of cybercrime to the Irish economy is some €630 million a year. Grant Thornton, the consultants who carried out this analysis, discovered that the cost of traditional crimes such as welfare and tax fraud, moving into the online environment, is a significant threat to the economy.

The legislation we are introducing seeks to protect information systems, and their important data, from cyber attacks from both within and outside the State. The Bill makes it an offence to engage in cybercrime activity and provides strong penalties for those found guilty of offences relating to information systems, including up to ten years’ imprisonment if the crime is sufficiently serious.

Cybercrime activities come in many forms. Broadly, they involve criminal attacks on information systems and infrastructures themselves, or on their associated data. Data are an increasingly valuable commodity in the economic world. Information - personal information in particular - carries a premium. Criminal gangs are aware of this and perpetrate large-scale, pervasive attacks involving unauthorised access, collection and use of data for monetary gain.

Some of the more common forms of cybercrime involve identity theft, online Internet scams or fraud, cyber theft from business, cyber extortion, industrial espionage and online intellectual property theft. It is these crimes that are causing the greatest impact economically, both in Ireland and across the globe.

Cybercrime is an international, worldwide problem. It knows or respects no borders. There is a need, therefore, for international co-operation to counter this menace. Harmonisation of national laws is one important way of doing this. By strengthening our laws across Europe and beyond, we present a united front against cybercrime and counter its transnational dimension. The legislation before us will serve to transpose the EU directive on attacks against information systems and ensure that Ireland can stand alongside our European partners in combating criminality in this area and protecting vital infrastructures.

International co-operation is also necessary on a practical, operational level through the sharing of information between police authorities in order to bring cyber criminals to justice and enforce our laws. A key aim of the EU directive, in addition to criminalising offences relating to information systems, is to improve co-operation with and between competent authorities, including the police and other law enforcement services such as Europol and its European Cyber Crime Centre.

For the purpose of exchanging information on cyber offences, member states are required to have an operational national point of contact which is available 24 hours a day, seven days a week. The designated national contact point for Ireland is the Garda Computer Crime Investigation Unit, whose contact details have already been provided to the European Commission and can be made available to other member states and competent specialised agencies and bodies.

The Bill ensures there are no gaps in our laws that can be exploited by those who would seek to perpetrate cyber crimes through unauthorised access to, or interference with, information systems or the important data retained on them. This is clearly important for businesses, the Government sector and individual citizens alike.

Deputy O'Callaghan's initial comment about the time of night reminds me of a Deputy years ago who came in here looking for overtime sheets. I thank Opposition Deputies for their co-operation on this measure and look forward to Committee Stage. I am pleased to commend the Bill to the House.

Question put and agreed to.